Ben Laurie blathering

Too much of all of this discussion around OpenID focuses around whether or not it’s OpenID’s job to solve this problem, whether it is insecure, whether it promotes phishing, and so on. But none of the discussion focuses on what you should actually *do* when you care about making it easy for people to use your site while keeping security good enough.

Someone smart on the topic care to tell me what I should be doing as a website maker, and as a potential OpenID user on other websites ?

So, the answer to this is: you should only accept OpenID logins from providers that use unphishable authentication. How can you know what authentication they use? Well, right now you can’t, but a group of us are about to work on the OpenID Provider Authentication Policy Extension (a.k.a. PAPE) which will enable you to find out.

Until then, my answer continues to be “just say no”, if you are a website maker. If you are an OpenID user, then the answer is to find a provider that supports unphishable authentication – at least you will be safe, even if the rest of the world continues to suffer.
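What “only accept logins from providers that use unphishable authentication” looks like on the relying-party side once PAPE exists, as an added example that is not part of the original post or of any OpenID library: the RP checks that the positive assertion comes from an OP on its own allow-list, that the response signature is valid, that the PAPE fields are inside the signed set (otherwise the user, or a man in the middle, could simply add the claim), and that the OP asserts a phishing-resistant policy. The PAPE namespace and policy URIs below are those of the PAPE draft, the OP endpoint, identifiers and MAC key are made-up sample data, and the standard OpenID 2.0 checks that have nothing to do with PAPE (return_to, nonce replay, discovery) are left out.

```python
"""Relying-party check of an OpenID 2.0 positive assertion carrying PAPE fields.

Added example for this post; not code from Ben Laurie or from any OpenID library.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Namespace and policy URIs as defined by the PAPE draft.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PAPE_PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PAPE_MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"

# Policies this RP treats as "unphishable". Plain multi-factor is deliberately not here:
# a one-time code typed into a web form can still be relayed by a phishing page.
UNPHISHABLE = {PAPE_PHISHING_RESISTANT, PAPE_MULTI_FACTOR_PHYSICAL}

# PAPE is only a statement by the OP, so it is only worth anything from OPs we trust.
# Hypothetical endpoint used for the sample data.
TRUSTED_OPS = {"https://op.example.net/server"}


def signature_base(fields, signed):
    """Key-value form of the signed fields, in openid.signed order (OpenID 2.0, section 6.1)."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)


def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the signature base, base64 encoded, as for an HMAC-SHA256 association."""
    mac = hmac.new(mac_key, signature_base(fields, signed).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_signature(fields, mac_key):
    signed = fields.get("openid.signed", "").split(",")
    try:
        expected = sign(fields, signed, mac_key)
    except KeyError:  # a field listed in openid.signed is missing
        return False
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


def pape_alias(fields):
    """Return the alias under which the PAPE namespace was declared (openid.ns.<alias>), or None."""
    for key, value in fields.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def accept_login(query_string, mac_key):
    """Decide whether to accept the assertion in the return_to query string. Returns (ok, reason)."""
    fields = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if fields.get("openid.op_endpoint") not in TRUSTED_OPS:
        return False, "OP endpoint not on the allow-list"
    if not verify_signature(fields, mac_key):
        return False, "bad signature"
    alias = pape_alias(fields)
    if alias is None:
        return False, "OP did not include a PAPE response"
    signed = set(fields["openid.signed"].split(","))
    # An unsigned PAPE claim could have been added by whoever relayed the response.
    if not {f"ns.{alias}", f"{alias}.auth_policies"} <= signed:
        return False, "PAPE fields not covered by the signature"
    policies = set(fields.get(f"openid.{alias}.auth_policies", "").split())
    if not policies & UNPHISHABLE:
        return False, "OP did not assert an unphishable authentication policy"
    return True, "ok"


def build_sample_assertion(policies, mac_key, alias="pape"):
    """Constructed sample: what a cooperating OP would send back for the given policies."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",
        "openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://alice.example.org/",
        "openid.return_to": "https://rp.example.com/finish",
        "openid.response_nonce": "2008-06-20T12:46:00ZABCDEF",
        "openid.assoc_handle": "assoc-1",
        f"openid.ns.{alias}": PAPE_NS,
        f"openid.{alias}.auth_policies": " ".join(policies),
        f"openid.{alias}.auth_time": "2008-06-20T12:45:30Z",
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", f"ns.{alias}", f"{alias}.auth_policies", f"{alias}.auth_time"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return urlencode(fields)


if __name__ == "__main__":
    key = b"\x01" * 32  # sample association MAC key
    print(accept_login(build_sample_assertion([PAPE_PHISHING_RESISTANT], key), key))
    print(accept_login(build_sample_assertion([PAPE_NONE], key), key))
```

The allow-list is the part that does the real work: an OP can assert any policy URI it likes, so the signed PAPE claim only tells you something when you have already decided that this OP does not lie about how it authenticated the user.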

This entry was posted on Friday, June 20th, 2008 at 12:46 and is filed under Identity Management, Security.

2 Comments

By the same logic, would you advocate against developers using Google’s authentication API as encouraged by App Engine? Google’s authentication system has no protection against phishing, and App Engine encourages developers to use their authentication API which includes clicking through to a Google login page which could well be a phishing imitation.

In addition to Simon’s valid point that many other online authentication mechanisms are subject to phishing – I would say that because of the long-time concerns the OpenID community has had in this area, OpenID is the *least* vulnerable to phishing these days. That is because providers have really been focusing on making the experience as secure as possible. Vidoop’s ImageShield technology, myOpenID’s ability to accept client-side TLS certs and phone calls, and to display a cookie-based image, and wordpress.com’s “bookmark takes you to HTTPS page” solutions all make phishing a lot harder than with many other authentication options (such as email+password, which is trivial to phish, as Facebook et al. are all the time).

I also think it’s important not to confuse security concerns (having to do with what an attacker can do even if you’re careful) with phishing concerns (what an attacker can do if he steals your credentials).